Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Email is one of the primary ways people share information, connect with customers and get work done. It is also one of the easiest channels for risk to slip in. A mistyped address, an exposed attachment, a missed opt-out, or a rushed response to a phishing message can all lead to serious problems. That is why email compliance matters. It helps define how your organization handles email, what is allowed and how to report on activity when something goes wrong.

Google recently released Device-Bound Session Credentials (DBSC) for Google Chrome and Google Workspace. It is a long-awaited new security enhancement to fight back against local cookie theft. But, yes, it can still be hacked and phished. Nothing alone in cybersecurity is a complete panacea.

As reported in the latest Phishing Threat Trends Report (Vol. 7), attackers are increasingly using calendar invites to bypass traditional email defenses, with this vector surging 49% over the past six months. In this Threat Labs deep dive, our team goes behind the scenes to provide a detailed analysis of this escalating campaign. We break down the technical underpinnings and tactical shifts in a unique multi-vector attack that turns your trusted corporate schedule into an instrument of compromise.

Scammers are using legitimate hotel booking details to craft targeted phishing attacks, WIRED reports. Victims are far more likely to fall for a phishing attack if a message contains real information that they wouldn’t expect a scammer to know. According to researchers at Norton, this phishing campaign is targeting customers of at least 350 hotels and vacation rentals across 50 countries.

False positives can disrupt inbound email security as much as missed threats by slowing business workflows and eroding trust in security controls. As phishing attacks become more convincing, many systems respond by tightening filtering thresholds. But without enough context, this can lead to overblocking, where everyday business communication is misclassified as suspicious. Reducing false positives requires more than adjusting filters.

Researchers at Push Security have analyzed a phishing platform used by organized criminal threat actors like ShinyHunters and BlackFile, finding more than 400 domains linked to attacks launched by the phishing kit.

This article was originally published in Professional Security Magazine. Why are organizations still losing to phishing in 2026? Phishing has been the dominant attack vector for years. Despite this, organizations continue to be caught out by it. The UK government’s Cyber Security Breaches Survey 2026 confirms it remains the most prevalent and disruptive type of attack that businesses are facing. For those on the front line of incident response investigations globally, that finding is no surprise.

2026 has officially become the year of speed, scale and support. The delta between a phishing email landing and a full organizational compromise has shrunk to mere seconds. The reality by the numbers: To close this window, your defense strategy must evolve into a two-step strategy of accuracy and automation.